Security: heap-buffer-overflow in pdfium
Reported by seuk...@gmail.com, Oct 17 2016
Issue description
VULNERABILITY DETAILS
Found a 4-byte OOB READ in pdfium while decoding XFA.
VERSION
pdfium with ASan.
REPRODUCTION CASE
./pdfium_test SIGABRT.PC.7ffff6a73c37.STACK.2a8c125c3.CODE.-6.ADDR.(nil).INSTR.cmp____$0xfffffffffffff000,%rax.pdf
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: pdfium_test
Crash State:
**************************************************************
Rendering PDF file /home/kimyok/honggfuzz/fuzzing/20161013/SIGABRT.PC.7ffff6a73c37.STACK.2a8c125c3.CODE.-6.ADDR.(nil).INSTR.cmp____$0xfffffffffffff000,%rax.pdf.
=================================================================
==12741==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200004a9e0 at pc 0x0000037872cd bp 0x7ffee4fbeed0 sp 0x7ffee4fbeec8
READ of size 4 at 0x60200004a9e0 thread T0
#0 0x37872cc (/home/kimyok/pdfium/pdfium_test_asan+0x37872cc)
#1 0x3787238 (/home/kimyok/pdfium/pdfium_test_asan+0x3787238)
#2 0x37858ff (/home/kimyok/pdfium/pdfium_test_asan+0x37858ff)
#3 0x3b05727 (/home/kimyok/pdfium/pdfium_test_asan+0x3b05727)
#4 0x3b07c7b (/home/kimyok/pdfium/pdfium_test_asan+0x3b07c7b)
#5 0x3b628d8 (/home/kimyok/pdfium/pdfium_test_asan+0x3b628d8)
#6 0x310dd6a (/home/kimyok/pdfium/pdfium_test_asan+0x310dd6a)
#7 0x54d5f8 (/home/kimyok/pdfium/pdfium_test_asan+0x54d5f8)
#8 0x778a71 (/home/kimyok/pdfium/pdfium_test_asan+0x778a71)
#9 0x775229 (/home/kimyok/pdfium/pdfium_test_asan+0x775229)
#10 0x774377 (/home/kimyok/pdfium/pdfium_test_asan+0x774377)
#11 0x7fdb876043a6 (<unknown module>)
#12 0x7fdb87708de3 (<unknown module>)
#13 0x7fdb87709607 (<unknown module>)
#14 0x7fdb87605e54 (<unknown module>)
#15 0x7fdb87706329 (<unknown module>)
#16 0x7fdb87605e54 (<unknown module>)
#17 0x7fdb8764db22 (<unknown module>)
#18 0x7fdb876295c0 (<unknown module>)
#19 0x11fa515 (/home/kimyok/pdfium/pdfium_test_asan+0x11fa515)
#20 0x11f9534 (/home/kimyok/pdfium/pdfium_test_asan+0x11f9534)
#21 0x5c9d79 (/home/kimyok/pdfium/pdfium_test_asan+0x5c9d79)
#22 0x30f8a2a (/home/kimyok/pdfium/pdfium_test_asan+0x30f8a2a)
#23 0x38b5f17 (/home/kimyok/pdfium/pdfium_test_asan+0x38b5f17)
#24 0x37dfa59 (/home/kimyok/pdfium/pdfium_test_asan+0x37dfa59)
#25 0x37def31 (/home/kimyok/pdfium/pdfium_test_asan+0x37def31)
#26 0x37deb8a (/home/kimyok/pdfium/pdfium_test_asan+0x37deb8a)
#27 0x37975a6 (/home/kimyok/pdfium/pdfium_test_asan+0x37975a6)
#28 0x3791ebe (/home/kimyok/pdfium/pdfium_test_asan+0x3791ebe)
#29 0x3791f69 (/home/kimyok/pdfium/pdfium_test_asan+0x3791f69)
#30 0x3791f69 (/home/kimyok/pdfium/pdfium_test_asan+0x3791f69)
#31 0x3791f69 (/home/kimyok/pdfium/pdfium_test_asan+0x3791f69)
#32 0x3792859 (/home/kimyok/pdfium/pdfium_test_asan+0x3792859)
#33 0x3743f62 (/home/kimyok/pdfium/pdfium_test_asan+0x3743f62)
#34 0x23244e9 (/home/kimyok/pdfium/pdfium_test_asan+0x23244e9)
#35 0x50ab2e (/home/kimyok/pdfium/pdfium_test_asan+0x50ab2e)
#36 0x50e04a (/home/kimyok/pdfium/pdfium_test_asan+0x50e04a)
#37 0x7fdbae162f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
0x60200004a9e0 is located 0 bytes to the right of 16-byte region [0x60200004a9d0,0x60200004a9e0)
allocated by thread T0 here:
#0 0x4ef4eb (/home/kimyok/pdfium/pdfium_test_asan+0x4ef4eb)
#1 0x30afcb3 (/home/kimyok/pdfium/pdfium_test_asan+0x30afcb3)
#2 0x30ae48b (/home/kimyok/pdfium/pdfium_test_asan+0x30ae48b)
#3 0x2e356a1 (/home/kimyok/pdfium/pdfium_test_asan+0x2e356a1)
#4 0x2e34aaa (/home/kimyok/pdfium/pdfium_test_asan+0x2e34aaa)
#5 0x2342fec (/home/kimyok/pdfium/pdfium_test_asan+0x2342fec)
#6 0x375ac53 (/home/kimyok/pdfium/pdfium_test_asan+0x375ac53)
#7 0x38bab02 (/home/kimyok/pdfium/pdfium_test_asan+0x38bab02)
#8 0x31190bd (/home/kimyok/pdfium/pdfium_test_asan+0x31190bd)
#9 0x31128bb (/home/kimyok/pdfium/pdfium_test_asan+0x31128bb)
#10 0x150d81f (/home/kimyok/pdfium/pdfium_test_asan+0x150d81f)
#11 0x16fee63 (/home/kimyok/pdfium/pdfium_test_asan+0x16fee63)
#12 0x16f4963 (/home/kimyok/pdfium/pdfium_test_asan+0x16f4963)
#13 0x16f33ff (/home/kimyok/pdfium/pdfium_test_asan+0x16f33ff)
#14 0x14cbf5c (/home/kimyok/pdfium/pdfium_test_asan+0x14cbf5c)
#15 0x14cda9a (/home/kimyok/pdfium/pdfium_test_asan+0x14cda9a)
#16 0x14edc96 (/home/kimyok/pdfium/pdfium_test_asan+0x14edc96)
#17 0x14ecd75 (/home/kimyok/pdfium/pdfium_test_asan+0x14ecd75)
#18 0x7fdb876043a6 (<unknown module>)
#19 0x7fdb87708d62 (<unknown module>)
#20 0x7fdb87709607 (<unknown module>)
#21 0x7fdb87605e54 (<unknown module>)
#22 0x7fdb87706329 (<unknown module>)
#23 0x7fdb87605e54 (<unknown module>)
#24 0x7fdb8764db22 (<unknown module>)
#25 0x7fdb876295c0 (<unknown module>)
#26 0x11fa515 (/home/kimyok/pdfium/pdfium_test_asan+0x11fa515)
#27 0x11f9534 (/home/kimyok/pdfium/pdfium_test_asan+0x11f9534)
#28 0x5c9d79 (/home/kimyok/pdfium/pdfium_test_asan+0x5c9d79)
#29 0x30f8a2a (/home/kimyok/pdfium/pdfium_test_asan+0x30f8a2a)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/kimyok/pdfium/pdfium_test_asan+0x37872cc)
Shadow bytes around the buggy address:
0x0c04800014e0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c04800014f0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480001500: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480001510: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480001520: fa fa 00 fa fa fa fd fd fa fa fd fd fa fa fd fd
=>0x0c0480001530: fa fa fd fd fa fa fd fd fa fa 00 00[fa]fa fd fd
0x0c0480001540: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480001550: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480001560: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480001570: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480001580: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==12741==ABORTING
==============================================================
STACK:
<0x00007ffff6a77028> [[UNKNOWN]():0]
<0x00000000004e2506> [_ZN11__sanitizer5AbortEv():0]
<0x00000000004dd795> [_ZN11__sanitizer3DieEv():0]
<0x00000000004c8a17> [_ZN6__asan19ScopedInErrorReportD2Ev():0]
<0x00000000004c8390> [_ZN6__asan18ReportGenericErrorEmmmmbmjb():0]
<0x00000000004c8d7b> [__asan_report_load4():0]
<0x00000000034e4fdd> [_ZNK11CXFA_Object6IsNodeEv():58]
<0x00000000034e4f49> [_ZN11CXFA_Object6AsNodeEv():787]
<0x00000000034e32e0> [_Z6ToNodeP11CXFA_Object():803]
<0x0000000003897698> [_ZN17CXFA_FM2JSContext21GetObjectDefaultValueEP12CFXJSE_ValueS1_():6160]
<0x0000000003899bec> [GetSimpleValue():6021]
<0x00000000038f4899> [minus_operator():5367]
<0x00000000036c9d9b> [FXJSE_V8FunctionCallback_Wrapper():41]
<0x0000000000a385d0> [GetReturnValue<v8::internal::Object>():57]
<0x0000000000bdc30c> [HandleApiCallHelper():5090]
<0x0000000000c898c6> [ToHandle<v8::internal::Object>():220]
<0x0000000000c119b7> [Builtin_HandleApiCall():5105]
<0x00007fffd0106307> [[UNKNOWN]():0]
<0x00007fffd0172980> [[UNKNOWN]():0]
<0x00007fffd0173338> [[UNKNOWN]():0]
<0x00007fffd0107b75> [[UNKNOWN]():0]
<0x00007fffd016d627> [[UNKNOWN]():0]
<0x00007fffd0107b75> [[UNKNOWN]():0]
<0x00007fffd0142ea3> [[UNKNOWN]():0]
<0x00007fffd012660f> [[UNKNOWN]():0]
<0x00000000014b84fe> [Invoke():98]
<0x00000000014b7b25> [Call():154]
<0x0000000000aa7c49> [ToHandle<v8::internal::Object>():220]
<0x00000000036d915b> [ExecuteScript():212]
<0x00000000036800b8> [RunScript():141]
<0x000000000353989a> [ExecuteScript():650]
<0x0000000003538d72> [_ZN14CXFA_WidgetAcc12ProcessEventER10CXFA_EventP15CXFA_EventParam():331]
<0x00000000035389cb> [_ZN14CXFA_WidgetAcc12ProcessEventEiP15CXFA_EventParam():312]
<0x00000000034f1097> [_ZL16XFA_ProcessEventP14CXFA_FFDocViewP14CXFA_WidgetAccP15CXFA_EventParam():428]
<0x00000000034ebb0f> [_ZN14CXFA_FFDocView28ExecEventActivityByDeepFirstEP9CXFA_Node13XFA_EVENTTYPEiiS1_():454]
<0x00000000034ebbba> [_ZN14CXFA_FFDocView28ExecEventActivityByDeepFirstEP9CXFA_Node13XFA_EVENTTYPEiiS1_():464]
<0x00000000034ebbba> [_ZN14CXFA_FFDocView28ExecEventActivityByDeepFirstEP9CXFA_Node13XFA_EVENTTYPEiiS1_():464]
<0x00000000034ebbba> [_ZN14CXFA_FFDocView28ExecEventActivityByDeepFirstEP9CXFA_Node13XFA_EVENTTYPEiiS1_():464]
<0x00000000034ec4aa> [_ZN14CXFA_FFDocView10StopLayoutEv():127]
<0x00000000034a0df2> [_ZN16CPDFXFA_Document10LoadXFADocEv():134]
<0x00000000024488da> [FPDF_LoadXFA():396]
<0x00000000005088d0> [_Z9RenderPdfRKNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPKcmRK7OptionsS7_():711]
<0x000000000050b51e> [main():879]
<0x00007ffff6a5ef45> [[UNKNOWN]():0]
<0x0000000000423035> [_start():0]
<0x0000000000000000> [[UNKNOWN]():0]
=====================================================================
Oct 17 2016
This is an XFA bug; XFA is not enabled in any branch of Chromium.
Oct 18 2016
Thanks dsinclair@ for pointing this out; in this case I'm setting impact None.
Oct 19 2016
It doesn't impact Chromium, but it impacts the third-party library pdfium. Would you please request a CVE for pdfium? Thanks.
Nov 15 2016
Please reply to me. Thanks.
Nov 15 2016
In general we only assign CVEs to issues that impact the currently released versions of our software, and XFA is still in development. It's unlikely that a CVE will be assigned to this.
Nov 16 2016
mbarbella@ is correct; this doesn't meet the criteria for a CVE, I'm sorry to say.
Sep 20 2017
I am not able to reproduce this bug using either ASAN or valgrind. Given that this report is almost a year old, I am pretty sure that another CL fixed the underlying issue. Please reopen if you have a test case that demonstrates this issue.
Dec 28 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Oct 17 2016
Components: Internals>Plugins>PDF
Labels: Security_Severity-High Pri-1
Owner: tsepez@chromium.org
Status: Available (was: Unconfirmed)
I've reproduced the crash locally. Passing over to PDFium folks.
==48376==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200001b900 at pc 0x000001d46867 bp 0x7ffe5c8ffd40 sp 0x7ffe5c8ffd38
READ of size 4 at 0x60200001b900 thread T0
#0 0x1d46866 in CXFA_Object::IsNode() const third_party/pdfium/xfa/fxfa/parser/xfa_object.h:59:12
#1 0x1d4681d in CXFA_Object::AsNode() third_party/pdfium/xfa/fxfa/parser/xfa_object.h:792:10
#2 0x1eb5797 in CXFA_FM2JSContext::GetObjectDefaultValue(CFXJSE_Value*, CFXJSE_Value*) third_party/pdfium/xfa/fxfa/fm2js/xfa_fm2jscontext.cpp:6155:22
#3 0x1eb5bea in CXFA_FM2JSContext::GetSimpleValue(CFXJSE_Value*, CFXJSE_Arguments&, unsigned int) third_party/pdfium/xfa/fxfa/fm2js/xfa_fm2jscontext.cpp:6015:3
#4 0x1ed7b7b in CXFA_FM2JSContext::minus_operator(CFXJSE_Value*, CFX_StringCTemplate<char> const&, CFXJSE_Arguments&) third_party/pdfium/xfa/fxfa/fm2js/xfa_fm2jscontext.cpp:5361:45
#5 0x1aa6593 in (anonymous namespace)::V8FunctionCallback_Wrapper(v8::FunctionCallbackInfo<v8::Value> const&) third_party/pdfium/fxjs/cfxjse_class.cpp:28:3
#6 0x514888 in v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&)) v8/src/api-arguments.cc:19:3
#7 0x601ec0 in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) v8/src/builtins/builtins-api.cc:106:36
#8 0x6008ec in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) v8/src/builtins/builtins-api.cc:135:5
#9 0x60018c in v8::internal::Builtin_HandleApiCall(int, v8::internal::Object**, v8::internal::Isolate*) v8/src/builtins/builtins-api.cc:123:1
#10 0x7f5a286043a6 (<unknown module>)
.....